A new security bug in OpenSSL encryption was revealed and patched Thursday, just a few months after Heartbleed threatened hundreds of thousands of secure web servers. The new bug is the most serious of several security breaches revealed by the OpenSSL group in a formal advisory today.
According to the group, the new bug, deemed an “SSL/TLS MITM” vulnerability, could allow a crafty attacker to fiddle with the “handshake” process that occurs between a client and server when an encrypted connection is being established. The hacker could then force the client and server to use weak keys, which would in turn allow a “man-in-the-middle” attacker to decrypt and modify traffic between the two.
In other words: it allows someone snooping your connection to neutralize your web encryption process.
Furthermore, the bug is present in all versions of OpenSSL, and according to Google software engineer Adam Langley, who’s thrown up a technically elaborate analysis of the bug here, it may have been in existence for the last 15 (or more) years.
OpenSSL is an open source encryption tool, developed by the volunteer-based OpenSSL Group, and used by a majority of online servers to facilitate the secure exchange of information, like usernames and passwords. It’s been under the gun since the Heartbleed bug prompted a worldwide security panic.
What does the bug mean for you? While all servers using OpenSSL are at risk until they’ve been upgraded, the bug only affects clients that use the OpenSSL protocol. Thus most major browsers (Chrome, Firefox, Internet Explorer, Safari) aren’t at risk, though browsers that do use OpenSSL, like Chrome on Android, may be affected.
If you’re up for a bit of technical reading, the person who discovered the bug, Masashi Kikuchi, explains how he found and patched it here. And the good news is that the bug’s revelation goes hand-in-glove with an official OpenSSL fix (based in part on Masashi’s patch). The most important next step in thwarting the bug is for anyone running an OpenSSL-based server to apply the OpenSSL Group’s recommended updates.